[HN Gopher] Tailnet Lock
___________________________________________________________________
Tailnet Lock
Author : iyaja
Score : 166 points
Date : 2022-12-14 17:07 UTC (5 hours ago)
(HTM) web link (tailscale.com)
(TXT) w3m dump (tailscale.com)
| KingMachiavelli wrote:
| Wow, I was advocating for switching to Tailscale (from just
| manual SSH key management) and was asked if we could do pretty
| much exactly this. Great to see such quick progress.
| ignoramous wrote:
| > _...by architecting our infrastructure with security and
| privacy in mind._
|
| The blog and the website loads in so many trackers (reasonable,
| given metrics are important when you're busy hyperscaling a
| venture-backed startup), that folks at Tailscale should seriously
| reconsider positioning themselves as some paragons of privacy. No
| offence (:
| cpach wrote:
| Are you sure people who complain about such things are in
| Tailscale's target demographic?
| yjftsjthsd-h wrote:
| Well, if Tailscale is bothering to talk about "architecting
| our infrastructure with security and privacy in mind", _they_
| seem to think so.
| fsociety wrote:
| Why does a for-profit company have to practice perfect
| anonymity to sell a product which does have security/privacy in
| mind?
| ignoramous wrote:
| > _Why does a for-profit company have to..._
|
| https://news.ycombinator.com/item?id=25457440
|
| > _...practice perfect anonymity to sell a product which does
| have security /privacy in mind?_
|
| _So are free users "the product?" No. If we're going to fix
| the Internet, there's no point only fixing it for big
| companies who can pay a lot. That misses the point of the
| whole adventure. The Internet is for everyone. We have to fix
| it for everyone, or why bother? We knew we had to design a
| business model and a technical architecture that removes any
| incentive to abuse your privacy._ - CEO at Tailscale,
| https://archive.is/R7jqw
| slig wrote:
| > website loads in so many trackers
|
| Not on my browser. Maybe you should consider a better browser
| and/or install some extensions.
| yjftsjthsd-h wrote:
| The term for this is "victim blaming", and the answer is "no,
| that shouldn't be necessary".
| slig wrote:
| But that's the reality of the web. We can complain or we
| can block those things.
| ignoramous wrote:
| And we can call out things, just the same.
| unshavedyak wrote:
| For basic tunneling into home servers, is Tailnet.. overkill? Ie
| i could expose my IP via Dyn DNS, or i could use something like
| Cloudflare or Tailnet to tunnel into the network. However.. i'm
| not sure what the right fit is. Would you recommend Tailnet for
| someone who just wants to expose some internal IPs to the public
| in a safe way?
|
| Tunneling compared to Dyn DNS at least has the advantage of more
| security via reduced access to ports. So maybe that alone is
| worth $5/m. .. well, $10/m, since i have two users. $10/m seems a
| bit steep just for some small access to my internal network for
| things like Camera Feeds, etc.
|
| Dyn DNS + some safe self hosted VPN might be more affordable and
| just as safe compared to Tailscale.
|
| .. thoughts on the best service to price ratio for my needs?
| 0x0000000 wrote:
| Dynamic DNS with wireguard works great, especially for a small
| footprint (sounds like you only have one LAN you want to access
| remotely, not multiple sites). It'll be free, and you won't
| have any cloud centralized service you're dependent on.
|
| Personally I host both of these services (dynamic DNS client,
| wireguard server) right on my WAN edge router, but you could
| also run it on a host (e.g., VM or raspberry pi) inside the
| LAN.
| unshavedyak wrote:
| How was wireguard setup? My fear with manually setting up
| wireguard is making some mistake that compromises security.
|
| While i like free (selfhosting), my gut says $5/m would be
| worth having Tailscale manage security for me to ensure it's
| done right.
| 0x0000000 wrote:
| I'd say it depends on how many remote clients you plan to
| have, since you have to manually configure the associated
| key per client. Unlike a traditional VPN which was just
| username/password based (from the user perspective, anyway)
| wireguard is based on keys, which means if you want to get
| in remotely, you need to have a key which has been
| configured. If you only have a few clients, this is easy
| enough to get going. If you have lots of clients, or want
| to be able to easily add new clients, I can see it becoming
| cumbersome.
|
| As far as setting it up securely, I don't think you're any
| worse off doing it yourself compared to using tailscale.
| You can define what networks each client may access.
| Personally I run wireguard on top of OpnSense, so I also
| have firewall rules in place to limit what any client can
| do from my remote-access network towards other parts of my
| network.
| TheFlyingFish wrote:
| Depends on whether you're talking about stuff that you actually
| want to be "exposed to the public" (i.e. can receive traffic
| from any IP) or just "accessible from outside the LAN."
|
| If the former, Tailscale isn't really a good fit since it only
| permits access to authenticated devices.
|
| If the latter, Tailscale is perfect. It's a VPN in the original
| sense of the word, "private" being the operative term - your
| devices can communicate as if they were all on the same LAN,
| without worrying about their traffic being eavesdropped.
|
| As for the pricing, I'm fairly confident that Tailscale won't
| mind if you're sharing a free plan (so single-user) across e.g.
| your laptop and your wife's, even though there are technically
| two "users" there. They've made it pretty clear that the divide
| they care about is "personal use free, company use paid."
| unshavedyak wrote:
| On the note of free plan. It's actually a bit of a shame.. i
| want to pay, i like $5/m, but it looks like $5/m is less
| devices than if i used free?
|
| Though i just noticed that the Personal Pro plan works with
| up to 100 devices for $4/m. Might give that a try. I really
| like paying.. as i hate free VC services.
|
| _edit_: Wow, the signup requirement is bizarre though. I
| don't have or want Google or Microsoft.. i do have a Github,
| which i guess i'll have to use... but what the hell? So odd
| that i can't just signup with my email.
| TheFlyingFish wrote:
| Yeah, they get a lot of flak for that from HN. Doesn't
| bother me personally, but I can see why it would be a
| dealbreaker for some people. On the other hand, I
| sympathize with their decision to just not have to worry
| about storing passwords, account recovery, and all the
| associated headaches, because I hate those headaches too.
|
| My guess is they will eventually add a sign-up-with-email
| option, but it's pretty far from the top of their priority
| list.
| unshavedyak wrote:
| In researching the email issue i saw a fair number of
| people arguing to decouple accounts from identities. I
| thought that was fair. I use Github and i have no problem
| there, but i didn't want some snafu on my account
| (Github) to somehow block my home network access.
|
| So i just signed up with an alternate Github "Identity"
| account to use with Tailscale. Still feels weird, but
| we'll see how it goes.
| infogulch wrote:
| Note a discussion elsethread about this where a
| tailscalar chimed in:
| https://news.ycombinator.com/item?id=33987904
| infogulch wrote:
| An interesting collab between cloudflare and tailscale could be
| to add cloudflare tunnel as a tailnet node to proxy public
| traffic into your private tailnet (with acls managed by your
| tailnet) as an alternative to opening ports on your firewall.
| This would give you true public access (if that's what you
| want) but also hide your ip and protect you from ddos etc.
| https://www.cloudflare.com/products/tunnel/
| ohbtvz wrote:
| Why is there a post by tailscale on the front page every single
| day?
| zellyn wrote:
| As a (typical?) HNer, there are many reasons. (a) TailScale was
| founded and is populated by people I followed online before,
| during, and after my and their tenures at Google, or just
| followed online already if they're not Xooglers (b) their
| product is extremely useful, and almost every non-enterprisey
| new feature they add is immediately or potentially useful to
| me, and I'm only running a couple of Raspberry Pis and a
| Minecraft server (c) I like Go, and they use Go extensively,
| often improving Go in the process, or at least documenting
| interesting performance characteristics and application design
| architectures (d) they have managed to find an interesting and
| rare balance point, applying commercially viable product
| funding to a whole host of open source improvements and
| contributions, and (e) the basic components of their product
| (Wireguard, networking details, Kernel integration, etc.) are
| extremely in my areas of interest even independent of the
| product itself.
|
| Also, they're just awesome folks!
| silisili wrote:
| TheFlyingFish wrote:
| Obviously "every single day" is hyperbole, but I agree with you
| that a much higher proportion of Tailscale blog posts end up on
| the front page than most corporate blogs.
|
| Finally I think it comes down to this: Tailscale is full of the
| same kind of people who tend to hang out on Hackernews. HN
| loves Tailscale because Tailscale is HN's ingroup.
|
| Fly.io is in a similar situation, and similarly sees a higher-
| than-average fraction of their blog posts getting traction on
| HN.
|
| For an interesting _counterexample_, look at warp.dev. They
| have a lot of the same markers - tackling an interesting
| problem that affects many HNers daily (the limitations of the
| terminal), building things from the ground up in Rust, and
| writing highly technical blog posts about it - but at the same
| time, it's clear that as an organization, they _don't quite
| get it_. They can't understand, for instance, why putting
| telemetry in their terminal emulator is absolute suicide as far
| as HN is concerned, or why "moving the terminal to the cloud"
| is a phrase that will never make HN happy. Unlike Tailscale and
| Fly, they are not "of the race that knows Joseph", as it were.
|
| That's not to say that there aren't individuals at Warp who
| _are_ members of the HN ingroup. But at the organizational
| level, Warp just _isn't quite it_.
| Ao7bei3s wrote:
| Tailscale are _the_ company pushing the state of the art in
| VPN's, and they write great, detailed technical articles and
| whitepapers about it. As someone who has worked on a different,
| more traditional, enterprise VPN product, this is extremely
| interesting to me. Most other companies have neither the cool
| tech (most haven't even switched from IPsec), nor the ability
| to put out anything other than marketing fluff, nor the focus
| to actually keep working on the core VPN tech instead of trying
| to check all boxes (monitoring/firewalling/device
| management/...) but not innovating anywhere. Tailscale also
| scales down to individual, private users, has a free plan, some
| open source code and an open source reimplementation, all of
| which appeals to the HN audience.
|
| This article in particular is interesting because Tailscale
| inserting malicious nodes is the #1 concern I had around their
| product, and their solution (tailnet locks) is interesting and
| probably better than the solution I would have come up with
| (using Wireguard's support for additional symmetric secrets).
| packetslave wrote:
| Because someone submits them, and others upvote them. It's
| really not complicated. There's no deep conspiracy to promote
| Tailscale here. They're not even a YC company.
| chipsa wrote:
| Baader-Meinhof
|
| They're not. It's just roughly when they post a new blog entry,
| which is... usually about once a week? Sometimes it's about new
| features, sometimes it's about internals which might be helpful
| for other people to know about (like the previous entry was
| about internals of the TUN/TAP, and how they managed to speed
| it up a bunch).
| presto8 wrote:
| This is a useful addition to Tailscale. But if one is going to
| manage public keys anyway, just use Nebula at that point?
| tiffanyh wrote:
| Cloudflare + Tailscale would be a super interesting combination
| for a business.
|
| I wonder if Tailscale is an acquisition target.
| lilyball wrote:
| Please don't give them any ideas
| TkTech wrote:
| From a business sense, it would likely be a reasonable and
| profitable acquisition for both parties.
|
| From a personal standpoint, I would like to see Cloudflare
| (among others) smashed into a neutral backbone provider and all
| its product offerings spun off, ala
| https://en.wikipedia.org/wiki/Breakup_of_the_Bell_System. It's
| dangerous for one company to control so much of the internet's
| infrastructure and it's causing massive problems (like
| https://news.ycombinator.com/item?id=32912075). Tailscale
| should remain independent.
| aborsy wrote:
| I am one of those users who have asked, but how can I trust that
| the Tailscale coordination server will not inject hidden public
| keys to my network.
|
| This feature is a very good step forward in security. I will take
| a look and if the implementation is sound, I am going to use
| Tailscale (namely if the Tailscale is compromised, I will not be
| automatically compromised, unless I manually accept external
| public keys, or install a bad update).
|
| The problem with malicious updates can be addressed by providing
| an easy way to check the code signature. With a standalone
| infrequently updated app such as an AppImage app, this can be
| easily done by verifying the GPG signature upon download.
| fragmede wrote:
| One option is _don't_. Run tailscaled inside a container with
| host network access, that way you can connect to the host, but
| it doesn't have the ability (unless it escapes the container)
| to write (ssh) keys.
| akerl_ wrote:
| I think y'all are talking about different things; the parent
| comment seems to be talking about injecting additional keys
| into the tailnet (basically, letting other devices
| communicate inside your Wireguard VPN).
| lilyball wrote:
| If you don't want to trust the Tailscale coordination server,
| and decide that tailnet lock is not for you, have you taken a
| look at Headscale? https://github.com/juanfont/headscale
| sneak wrote:
| How can I trust that I can log in and administer my network
| when Google kills my Google Account login or Microsoft kills my
| GitHub Account?
|
| Big tech surveillance orgs being the SSO is an SPoF for the
| administration of the network. For something as critical as L3,
| I can't accept that.
|
| I just use Nebula instead. It doesn't have a spiffy web
| interface or ssh auth chrome bolted on, but it works great for
| my purposes and it doesn't involve Google or Microsoft at any
| point.
| crawshaw wrote:
| Tailscalar here.
|
| IdP trust is on the list. There are some "easy" things we can
| do that help on the surface but make life harder for users.
| And there are some not-so-easy things we are researching. I
| hope to have answers in 2023.
| unshavedyak wrote:
| re: IdP, assuming that means signing up without
| Microsoft/Google (which really bother me too), would it be
| possible to migrate a Github account to .. whatever you all
| implement _(email signup/etc)_?
| sureglymop wrote:
| I recently read this blog [0] about how tailscale was
| thinking of open sourcing a small coordination server but
| headscale had already been created so that effort was put
| on hold.
|
| Is tailscale at this point in any way involved in headscale
| or contributing to it or are there plans to fork it to keep
| it maintained?
|
| Asking out of curiosity.
|
| [0]: https://tailscale.com/blog/opensource/
| bradfitz wrote:
| We hired one of the Headscale developers and let him work
| on it (as part of his job, not just moonlighting) and we
| help out when there are issues and give them a heads-up
| when protocol changes/etc are coming.
| makeworld wrote:
| This is such an outstanding response to the existence of
| Headscale that I struggle to understand it. Why not just
| open source Tailscale's control server? Don't get me
| wrong though, what you guys are doing now is great.
|
| Edit: some explanation here:
| https://tailscale.com/blog/opensource/
| sureglymop wrote:
| That's great news! Makes me confident to actually try out
| headscale+ tailscale! Thank you.
| kerneis wrote:
| I found the blog post slightly confusing because it never
| explicitly spells out that endorsing a new node is a manual
| operation that the administrator has to perform from one of the
| trusted nodes. Of course this is what you'd want, anything
| automatic would ruin the purpose of tailnet lock. But still not
| seeing it mentioned, neither in the text nor in the pictures,
| made me wonder what I had missed, until I watched the video which
| features that very step as part of the demo.
| mdeeks wrote:
| I had the same issue. I think the idea is that you build
| something yourself on a trusted node that decides whether or
| not to endorse a new node.
|
| Off the top of my head I'd do something dead simple like verify
| the user account matches our domain and then also query an
| inventory system to verify it is indeed a device we manage
| through MDM (though I'm not sure how this will work for mobile
| devices. We don't MDM those).
|
| When a new device attempts to join you should have some data on
| it via the API (User, OS, Tailscale version, source IP, machine
| name). You could use that data to decide to endorse it or not.
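One way to turn the endorsement policy sketched above into code on a trusted node, as an added example that is not Tailscale's code or API: it assumes the joining device's record carries the fields the comment lists (user, OS, version, source IP, machine name), a constructed MDM inventory, and a constructed set of known office networks; the field names and the inventory shape are assumptions, and the output is a decision plus reason, with the admin still performing the actual endorsement.

```python
"""Endorsement policy check for tailnet lock, meant to run on a trusted node.

Added example, not Tailscale's own code. The Device record shape and the
MDM inventory are assumptions; real API fields may differ.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOWED_DOMAIN = "example.com"                      # constructed value
MIN_CLIENT_VERSION = (1, 34, 0)                     # constructed floor
MOBILE_OSES = {"ios", "android"}                    # not MDM-enrolled here
KNOWN_NETS = [ip_network("203.0.113.0/24")]         # constructed office egress

# Constructed MDM inventory: machine name -> OS it is enrolled with.
MDM_INVENTORY = {
    "alice-laptop": "linux",
    "bob-desktop": "windows",
}


@dataclass
class Device:
    user: str
    os: str
    version: str
    source_ip: str
    machine_name: str


@dataclass
class Decision:
    endorse: bool             # True only when every automatic check passes
    needs_manual_review: bool  # True when a human should look before endorsing
    reason: str


def parse_version(v: str) -> tuple:
    """'1.34.0' -> (1, 34, 0); tolerates a suffix such as '1.34.0-t123'."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def evaluate(dev: Device, inventory=MDM_INVENTORY) -> Decision:
    # 1. Identity: the login user must belong to our domain.
    domain = dev.user.rsplit("@", 1)[-1].lower()
    if domain != ALLOWED_DOMAIN:
        return Decision(False, False, f"user domain {domain!r} is not ours")

    # 2. Client version floor: refuse old clients outright.
    try:
        ver = parse_version(dev.version)
    except ValueError:
        return Decision(False, True, f"unparseable version {dev.version!r}")
    if ver < MIN_CLIENT_VERSION:
        return Decision(False, False, f"client {dev.version} below minimum")

    # 3. Mobile devices have no MDM record: never auto-endorse, queue them.
    if dev.os.lower() in MOBILE_OSES:
        return Decision(False, True, "mobile device; no MDM record, review")

    # 4. Inventory: must be a managed device whose OS matches enrollment.
    enrolled_os = inventory.get(dev.machine_name)
    if enrolled_os is None:
        return Decision(False, False, f"{dev.machine_name} not in MDM inventory")
    if enrolled_os != dev.os.lower():
        return Decision(False, True, "OS does not match inventory record")

    # 5. Source IP: unknown networks are not a denial, but warrant a look.
    addr = ip_address(dev.source_ip)
    if not any(addr in net for net in KNOWN_NETS):
        return Decision(False, True, f"joined from unknown network {addr}")

    return Decision(True, False, "managed device, policy satisfied")


def evaluate_all(devices):
    """Map machine name -> Decision for a batch of pending join requests."""
    return {d.machine_name: evaluate(d) for d in devices}
```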
| xena wrote:
| Hey @dang can you update this to "Tailnet Lock"? This is about a
| feature named "tailnet lock", not a hiring freeze :)
| altairprime wrote:
| "@dang" doesn't do anything on HN. Emailing the mods using the
| footer Contact link is the fastest way - and the only certain
| way - to get the mod team's attention (including but not
| limited to dang).
| dang wrote:
| Fixed now. Thanks!
| darthShadow wrote:
| Should be tailnet lock rather than talent lock... :)
| blymphony wrote:
| Sounds like a fancy name for a hiring freeze
| radicaldreamer wrote:
| I thought I read the title wrong when I got to the post... I
| was like man I'm seeing hiring freezes and layoffs everywhere
| these days!
| denlekke wrote:
| "Talent Lock": the new MBA euphemism for H1-Bs
| [deleted]
| teaearlgraycold wrote:
| At this point I have no idea why HN cares so much about a VPN
| company, but I'm too afraid to ask.
| jchw wrote:
| For personal stuff, it feels totally new. It's like having your
| own intranet. It's like being on LAN with all of your personal
| devices, plus any bridged into your tailnet, at all times,
| anywhere on earth. You can route your internet traffic through
| another machine, or not (default.) It has built-in basic file
| transfer, and a nice little SSH bridge.
|
| Technologically, it's based on Wireguard. Wireguard is fast;
| really fast, especially compared to OpenVPN. Using cutting edge
| cryptography and a new UDP protocol, Wireguard connections feel
| roughly zero-overhead (they're not, of course.) Connections are
| peer-to-peer and you usually will get pretty close to the
| fastest reasonable route between any two devices, whether
| you're on LAN or overseas, whether there's a strong NAT in
| front or not.
|
| They've also engineered a lot of things carefully, instead of
| just cobbling together existing end-user tools in Rube Goldberg
| arrangements. (Not saying there isn't use of existing code;
| there totally is. But it's all very nicely integrated from what
| I can see.) Doing things "the hard way" can lead to more
| complicated software, but the way they've architected things
| makes the possibilities for expanding the utility of Tailscale
| to be nearly limitless. It's also amazingly entertaining to
| read about. Seriously, just read about how their web browser
| SSH client works:
|
| https://tailscale.com/blog/ssh-console/
| ukd1 wrote:
| Did you ever use Zero Tier before?
| jchw wrote:
| I tried, but I couldn't get it to work at all. I don't
| really know what I was doing wrong, it just hung without
| connecting. It's been a while and I haven't tried since.
| 0x0000000 wrote:
| It's a usability thing, IMO.
|
| Historically you had enterprise-grade VPNs that cost a lot of
| money, or OpenVPN. Both ran over IPSec or SSL, and neither were
| super straightforward to config/maintain, nor were they
| particularly performant.
|
| Then came wireguard, which is awesome, but wireguard is just a
| transport. It doesn't have all the UX niceties built on top of
| it, like registering clients or generating / distributing keys.
| Tailscale does a lot of that lifting for you, so you can easily
| and quickly get a working VPN, at a low cost, with good
| performance.
|
| Personally I manage wireguard myself, but I also self-host my
| own VMs, storage server, applications, etc.
|
| Tailscale is like taking your car in for an oil change instead
| of doing it yourself, plenty of people find that worth it.
| teaearlgraycold wrote:
| What does everyone use it for?
| gog wrote:
| I have a Tailscale client running on my NAS at home, this
| allows me to access stuff at home when I am not there,
| mostly my Home Assistant instance but sometimes the files
| on the NAS as well.
|
| Without Tailscale I would need a way to publish my routers
| current WAN address somehow (probably with DDNS), create a
| port forward rule on my ISPs router/modem and then setup a
| VPN server to listen to those connections.
|
| Not to mention that the current ISP doesn't even allow me
| to login to their modem and setup port forwarding.
| mbesto wrote:
| A few use cases:
|
| - I have a SOHO setup at home: several PCs/ my work laptop,
| raspberry pi, synology and ubiquiti. It means I can access
| ubiquiti console and synology via the network as opposed to
| some janky proxy that those companies provide.
|
| - taildrop is great for sending screenshots and files from
| my phone to (can't wait until they let me send
| URLs/links/txt like KDEConnect)
|
| - I also have a raspberry pi setup in an ABNB in another
| country. When I'm traveling I can use my house as a proxy
| for US based services and the reverse is true - if I want
| my browsing to look like my IP address in another country I
| can.
| TheFlyingFish wrote:
| Not GP, and I can only answer for myself, but:
|
| Personally, I use it to connect my home devices as if they
| were always together on the same LAN, even when they're
| not. E.g. Raspberry Pi, home NAS, "home" server that's
| actually in a different physical location, etc. All
| accessible anywhere at any time, even (say) from my laptop
| in a moving vehicle, without connections dropping even when
| my IP changes. It really is like magic.
|
| At work, we use it so that remote employees can access
| locally-hosted applications, office NAS, etc. ACLs make it
| easy to employ the principle of least privilege, so that
| having a route into the office LAN doesn't immediately mean
| any and every device is compromised.
| TkTech wrote:
| I have it on all my personal and family servers and
| devices. I use it so that for both myself and my family all
| our internal stuff (unraid network shares, jellyfin,
| homepages, photo backups, etc, etc) "just works" for the
| less technical members of the family even when they're not
| at home. It seamlessly detects when the peer is local so it
| doesn't route out to the internet and back, has an easy ACL
| to segment things (wife's phone doesn't need access to dd-
| wrt), and a bunch of other features.
|
| We've been able to do this with existing VPNs for a long,
| long time, but tailscale is by far the most painless
| offering I've ever used and I migrated away from OpenVPN
| completely.
| pyinstallwoes wrote:
| Can you use it like a VLAN for segmenting devices? I have
| eero's and a firewalla but since my eero's don't support
| tagged vlan traffic I can't segment my devices as much as
| I'd like to.
| mbesto wrote:
| (not an expert here) but my understanding is: sort of. I
| believe the biggest difference is that VLAN operates at
| Layer 2 and Wireguard works at Layer 3.
| influx wrote:
| I use it on my EC2 dev box and my home network, allowing me
| to block ssh on all the firewalls, yet ssh freely between
| all of them.
| shawnz wrote:
| This solves the #1 concern I had with tailscale. Now I feel
| comfortable recommending this software to anybody.
| wooltail wrote:
| It still makes me jittery how much stuff they've packed into
| the client. The RCE vulnerability in their windows client is
| pretty strong indicator that things are moving a bit too fast
| for comfort.
| chabad360 wrote:
| To be fair, the exploit chain was rather complex. Had it been
| more straight forward I'd be worried, but with the amount of
| pivoting required to make the exploit work it seems more like
| something even a security conscious developer could miss.
| jabroni_salad wrote:
| My fortinet footprint would like to assure you that stuff
| which moves slowly also has problems. I try not to hold a CVE
| against anyone unless they are extremely stupid and reveal a
| lack of any technical controls.
|
| wireguard is a linux-first solution and all of the windows
| stuff for it is subgrade, and probably will continue to be
| for a while. Anyconnect/globalprotect, still selling plenty,
| have a stranglehold on windowsland and probably will for a
| long time.
| jchw wrote:
| Agreed: I do feel the Windows client in particular is a
| little scary. In general, Tailscale clients feel reasonable,
| if light; but the Windows client is kind of iffy. There's a
| bug that I believe still exists where on some machines, it
| will crash on startup most of the time, seemingly the result
| of a race condition or other bug where GetLastError returns
| something unexpected, in a not-very-well maintained Win32 API
| wrapping library for Go. This is mostly benign (although
| annoying) but the contrast in how competent Tailscale seems
| to be about the core guts vs the clients feels a little
| jarring at times! Still love it though.
| bradfitz wrote:
| FWIW, we've recently taken over maintenance of those Go
| libraries because they seem to have been abandoned
| upstream. And we now have people working on Windows full-
| time. (Early on, the Tailscale team was all primarily Linux
| and macOS users so Windows was admittedly neglected for too
| long)
| jchw wrote:
| It amazes me how you're seemingly always on top of any
| concern I or others could have. Thanks for the
| information.
| dblohm7 wrote:
| Tailscalar here.
|
| There were a few things going on with that issue you
| mentioned; one of them is the way the wrapper library was
| written, the other was with some stuff in the GUI client
| that was happening on a background goroutine but shouldn't
| have been. That should be fixed in the current stable
| release.
|
| As for the Windows client in general, it is going to be
| receiving a lot of love over the next few months!
| jchw wrote:
| I see; I need to update the client on one of my machines.
| I appreciate the heads up, as it is quite frustrating to
| get it to start sometimes. Thanks!
|
| I'll have to check out the bug sometime, but it sounds
| like it's just bad luck with goroutine scheduling and the
| order things execute in, in a goroutine that isn't locked
| to a thread. I can see it going unnoticed on older
| versions of Go (especially prior to weirder things like
| usermode preemption.)
| bradfitz wrote:
| What bug are you thinking of? Got a GitHub issue link?
| jchw wrote:
| I believe it might be this one.
|
| https://github.com/tailscale/tailscale/issues/4133
|
| That said, I'm not near the computer where I have it
| occur right now to check.
| bradfitz wrote:
| That's hopefully fixed now in 1.34.0+. We'll see!
___________________________________________________________________
(page generated 2022-12-14 23:00 UTC)